From 566ce2abc196adf59312282227f9d54642a4de82 Mon Sep 17 00:00:00 2001 From: Alfonso Acosta Date: Tue, 9 Dec 2025 17:35:01 +0100 Subject: [PATCH 1/2] Add remote signer support to controller templates Add conditional logic to set REMOTE_SIGNER_ENABLED and PRIV_VALIDATOR_LADDR when ValidatorKey is not supplied, for both CCV and non-CCV templates. Also expose port 26658 for the privval server when using remote signer. --- .../templates/chainlet/chainlet-deploy.yml.tmpl.j2 | 11 +++++++++++ .../templates/chainlet/chainlet-deploy.yml.tmpl.j2 | 13 +++++++++++++ 2 files changed, 24 insertions(+) diff --git a/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 b/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 index 126cfec..341f672 100644 --- a/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 +++ b/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 @@ -126,8 +126,15 @@ spec: value: "{{ .ChainPeers }}" - name: NODE_KEY value: "{{ .NodeKey }}" + {{- if .ValidatorKey }} - name: VALIDATOR_KEY value: "{{ .ValidatorKey }}" + {{- else }} + - name: REMOTE_SIGNER_ENABLED + value: "true" + - name: PRIV_VALIDATOR_LADDR + value: "tcp://0.0.0.0:26658" + {{- end }} - name: OPTS value: "--pruning %%% pruning_strategy %%% --json-rpc.gas-cap 50000004 --api.enable=false --grpc.enable=true" - name: CHAINID @@ -200,6 +207,10 @@ spec: - containerPort: 8545 - containerPort: 8546 - containerPort: 26660 + {{- if not .ValidatorKey }} + - containerPort: 26658 + name: privval + {{- end }} resources: %%% controller_chainlet_resources | to_nice_yaml(indent=2) | indent(12, true) | trim %%% volumeMounts: diff --git a/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 b/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 index e14cc83..0d0fbd6 100644 --- a/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 
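Review bot: `PRIV_VALIDATOR_LADDR` is set to `tcp://0.0.0.0:26658`, so the privval listener accepts connections on every pod interface, and nothing in this hunk or in the `containerPort: 26658` hunk after it limits who may reach it. As far as I know the node side does not authenticate the signer that connects on this socket, so I would pair the change with a NetworkPolicy (or equivalent) that admits ingress on 26658 only from the signer workload. Please also confirm that the chainlet Service, which is not visible here, does not publish the port. At minimum add a template comment above the variable, e.g. `# privval listener: restrict ingress on 26658 to the remote signer`. The same binding appears in the `controller` template hunk of this patch and in both templates again in PATCH 2/2.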
+++ b/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 @@ -86,6 +86,15 @@ spec: value: "%%% stake_owner_address %%%" - name: KEYPASSWD value: "%%% keychain_password %%%" + {{- if .ValidatorKey }} + - name: VALIDATOR_KEY + value: "{{ .ValidatorKey }}" + {{- else }} + - name: REMOTE_SIGNER_ENABLED + value: "true" + - name: PRIV_VALIDATOR_LADDR + value: "tcp://0.0.0.0:26658" + {{- end }} - name: AWS_ACCESS_KEY_ID value: "%%% aws_access_key_id %%%" - name: AWS_SECRET_ACCESS_KEY @@ -132,6 +141,10 @@ spec: - containerPort: 8545 - containerPort: 8546 - containerPort: 26660 + {{- if not .ValidatorKey }} + - containerPort: 26658 + name: privval + {{- end }} resources: %%% controller_chainlet_resources | to_nice_yaml(indent=2) | indent(12, true) | trim %%% volumeMounts: From 244d3b88301eadb566e9202d5f5c12b33a2ce9a4 Mon Sep 17 00:00:00 2001 From: Alfonso Acosta Date: Tue, 16 Dec 2025 18:16:04 +0100 Subject: [PATCH 2/2] Address review feedback --- .../templates/chainlet/chainlet-deploy.yml.tmpl.j2 | 14 +++++++------- ansible/roles/controller/defaults/main.yml | 5 ++++- .../templates/chainlet/chainlet-deploy.yml.tmpl.j2 | 11 ++++------- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 b/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 index 341f672..86f4b82 100644 --- a/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 +++ b/ansible/roles/controller-ccv/templates/chainlet/chainlet-deploy.yml.tmpl.j2 
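Review bot: `VALIDATOR_KEY` is injected as a literal env `value:` in the first added branch, which puts the consensus private key in the rendered Deployment manifest, where anyone who can read the pod spec can see it. The neighbouring `KEYPASSWD` and `AWS_SECRET_ACCESS_KEY` entries follow the same pattern, so this is not new to the file, but a validator key is worth sourcing from a Secret via `valueFrom.secretKeyRef` instead. The env list starts and ends outside the hunk, so I cannot see whether a Secret is already available to this container.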
@@ -126,15 +126,15 @@ spec: value: "{{ .ChainPeers }}" - name: NODE_KEY value: "{{ .NodeKey }}" - {{- if .ValidatorKey }} - - name: VALIDATOR_KEY - value: "{{ .ValidatorKey }}" - {{- else }} +{% if controller_remote_signer_enabled %} - name: REMOTE_SIGNER_ENABLED value: "true" - name: PRIV_VALIDATOR_LADDR value: "tcp://0.0.0.0:26658" - {{- end }} +{% else %} + - name: VALIDATOR_KEY + value: "{{ .ValidatorKey }}" +{% endif %} - name: OPTS value: "--pruning %%% pruning_strategy %%% --json-rpc.gas-cap 50000004 --api.enable=false --grpc.enable=true" - name: CHAINID @@ -207,10 +207,10 @@ spec: - containerPort: 8545 - containerPort: 8546 - containerPort: 26660 - {{- if not .ValidatorKey }} +{% if controller_remote_signer_enabled %} - containerPort: 26658 name: privval - {{- end }} +{% endif %} resources: %%% controller_chainlet_resources | to_nice_yaml(indent=2) | indent(12, true) | trim %%% volumeMounts: diff --git a/ansible/roles/controller/defaults/main.yml b/ansible/roles/controller/defaults/main.yml index 4e1a0e3..2495de5 100644 --- a/ansible/roles/controller/defaults/main.yml +++ b/ansible/roles/controller/defaults/main.yml @@ -26,4 +26,7 @@ controller_relayer_version: "0.4.2" controller_relayer_wait_time: "0" # Load Balancer Configuration controller_chainlet_external_traffic_policy: Cluster -controller_chainlet_allocate_loadbalancer_node_ports: false \ No newline at end of file +controller_chainlet_allocate_loadbalancer_node_ports: false + +# Signer +controller_remote_signer_enabled: false \ No newline at end of file diff --git a/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 b/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 index 0d0fbd6..9db4b86 100644 --- a/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 +++ b/ansible/roles/controller/templates/chainlet/chainlet-deploy.yml.tmpl.j2 
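Review bot: `controller_remote_signer_enabled` is now read by the `controller-ccv` template in both hunks of this file, but the diffstat adds its default only to `ansible/roles/controller/defaults/main.yml`. Unless `controller-ccv` defines the variable somewhere not shown, or declares a dependency on the `controller` role, rendering this template will fail on an undefined variable. With lenient undefined handling it would instead silently take the `{% else %}` branch. Either add the same default to the `controller-ccv` role or guard the test with `{% if controller_remote_signer_enabled | default(false) %}`.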
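Review bot: The `# Signer` comment above `controller_remote_signer_enabled` does not tell an operator what turning the flag on changes. I would spell it out, e.g. `# When true, chainlet pods get REMOTE_SIGNER_ENABLED/PRIV_VALIDATOR_LADDR and expose port 26658 for an external signer`. The file also still ends without a trailing newline after the new line.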
@@ -86,15 +86,12 @@ spec: value: "%%% stake_owner_address %%%" - name: KEYPASSWD value: "%%% keychain_password %%%" - {{- if .ValidatorKey }} - - name: VALIDATOR_KEY - value: "{{ .ValidatorKey }}" - {{- else }} +{% if controller_remote_signer_enabled %} - name: REMOTE_SIGNER_ENABLED value: "true" - name: PRIV_VALIDATOR_LADDR value: "tcp://0.0.0.0:26658" - {{- end }} +{% endif %} - name: AWS_ACCESS_KEY_ID value: "%%% aws_access_key_id %%%" - name: AWS_SECRET_ACCESS_KEY @@ -141,10 +138,10 @@ spec: - containerPort: 8545 - containerPort: 8546 - containerPort: 26660 - {{- if not .ValidatorKey }} +{% if controller_remote_signer_enabled %} - containerPort: 26658 name: privval - {{- end }} +{% endif %} resources: %%% controller_chainlet_resources | to_nice_yaml(indent=2) | indent(12, true) | trim %%% volumeMounts:
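Review bot: With the `{{- else }}` branch removed and no `{% else %}` added, this template never sets `VALIDATOR_KEY`, whereas the `controller-ccv` template keeps it for the flag-off case. That matches what this file did before PATCH 1/2 as far as the hunks show, so it is probably intended. If so, a one-line comment above the `{% if controller_remote_signer_enabled %}` block would save the next reader the comparison, e.g. `# no VALIDATOR_KEY here by design; only the CCV template injects one`.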